UNCLASSIFIED

United States Department of State
and the Broadcasting Board of Governors
Office of Inspector General

Office of Audits

Review of Department of State
Information Security Program

AUD/IT-11-07

November 2010

PREFACE

This report is being transmitted pursuant to the Inspector General Act of 1978, as amended, and Section 209 of the Foreign Service Act of 1980, as amended. It is one of a series of audit, inspection, investigative, and special reports prepared as part of the Office of Inspector General's (OIG) responsibility to promote effective management, accountability, and positive change in the Department of State and the Broadcasting Board of Governors.

In accordance with the Federal Information Security Management Act of 2002 (FISMA), OIG performed a review of the Department of State Information Security Program for FY 2010. To perform this review, OIG contracted with the independent public accountant Williams, Adley & Company, LLP. The report is based on interviews with employees and officials of relevant agencies and institutions, direct observation, and a review of applicable documents.

The independent public accountant identified areas in which improvements could be made, including system inventory, risk management framework, plans of actions and milestones, security awareness training, security configuration management, remote access, identity and account management, incident response handling, continuous monitoring, contingency plans, and oversight of contractor systems.

OIG evaluated the nature, extent, and timing of the independent public accountant's work; monitored progress throughout the audit; reviewed supporting documentation; evaluated key judgments; and performed other procedures as appropriate. OIG concurs with the findings, and the recommendations contained in the report were developed on the basis of the best knowledge available and were discussed in draft form with those individuals responsible for implementation. OIG's analysis of management's response to the recommendations has been incorporated into the report. OIG trusts that this report will result in more effective, efficient, and/or economical operations.

I express my appreciation to all of the individuals who contributed to the preparation of this report.

Harold W. Geisel
Deputy Inspector General

WILLIAMS ADLEY

November 12, 2010

Review of Department of State Information Security Program

Office of Inspector General
U.S. Department of State
Washington, DC

Williams, Adley & Company, LLP (referred to as "we" in this letter), is pleased to provide the Office of Inspector General (OIG) the results of the review of the Department of State (Department) Information Security Program for FY 2010. We reviewed the Department's Information Security Program performance in compliance with the Federal Information Security Management Act and Office of Management and Budget (OMB) and National Institute of Standards and Technology regulations, standards, and requirements. Additionally, the review was performed to provide sufficient support for OIG in providing a response to OMB in accordance with OMB Memorandum M-10-15, FY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, dated April 21, 2010.

This review, performed under Contract No. SAQMMA10F2159, was designed to meet the objectives identified in Appendix A, "Objectives, Scope, and Methodology," of the report. We communicated the results of our review and the related findings and recommendations to the Department's OIG.

We appreciate the cooperation provided by Department personnel during the review.

WILLIAMS, ADLEY & COMPANY-DC, LLP
Certified Public Accountants | Management Consultants
1250 H Street, NW, Suite 1150 • Washington, DC 20005 • (202) 371-1397   Fax: (202) 371-9161
www.williamsadley.com

Table of Contents

Executive Summary
Background
Results of Review
A. FISMA System Inventory List Contained Retired Systems
B. Risk Management Framework Needs To Be Improved
C. Plans of Actions and Milestones Were Not Adequately Managed
D. Security Awareness Training Requirements Were Not Enforced
E. Security Configuration Management Needs Improvement
F. OpenNet Everywhere Software Package Had Significant Security Weaknesses
G. Account Management in Active Directory Needs Improvement
H. Personally Identifiable Information Incidents Were Not Reported Timely
I. Continuous Monitoring Program Needs Improvement
J. Contingency Plans Need To Be Updated
K. Oversight of Contractor Systems Requires Improvement
List of Recommendations
Acronyms
Appendix A. Objectives, Scope, and Methodology
Appendix B. Follow-up of Recommendations From the FY 2009 FISMA Report
Appendix C. Department of State Response

Executive Summary

In accordance with the Federal Information Security Management Act of 2002 (FISMA),[1] the Office of Inspector General (OIG) contracted with Williams, Adley & Company, LLP (referred to as "we" in this report), to perform an independent review of the Department of State (Department) Information Security Program's compliance with Federal laws, regulations, and standards established by FISMA, the Office of Management and Budget (OMB), and the National Institute of Standards and Technology (NIST). Additionally, the results are designed to assist OIG in providing a response to OMB Memorandum M-10-15, FY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, dated April 21, 2010.

We reviewed the Department's remedial actions taken to address the FY 2009 reported Information Security Program control weaknesses identified in OIG's FY 2009 report Review of the Information Security Program at the Department of State. The statuses of the FY 2009 review recommendations are in Appendix B.
Since FY 2009, the Department has taken steps to improve management controls to include the following:

• Updated the Contingency Planning, Certification and Accreditation, and Annual Control Assessment Toolkits to provide guidance to system owners.

• Initiated a pilot program for the Plan of Action and Milestones (POA&M) Grading Memorandum.

Overall, we found that the Department has established and is maintaining an information security program. However, to improve the program and to bring the program into compliance with FISMA, OMB, and NIST requirements, the Department needs to make significant improvements to address the following control weaknesses:

• System Inventory List
  The Department's inventory management processes and procedures do not ensure that retired systems are immediately removed from the inventory of FISMA-reportable systems. Without an accurate FISMA system inventory list, the Department's process to support information resources management for technology planning, budgeting, and acquisition may be hampered.

• Risk Management Framework
  The security authorization process was not performed on all contractor systems, and the security authorization packages had expired for four systems. These conditions weaken the Department's risk management framework because changes within the systems and the systems' control environment may introduce new risks and vulnerabilities into the Department's environment.

• Plans of Action and Milestones (POA&M)
  The Department did not consistently record required resources for remediation of security weaknesses and update remediation schedules to reflect actual performance, all of which impeded the Department's ability to assess and monitor the progress of corrective actions.

• Security Awareness Training and Personnel Security
  The Department did not identify all employees who had significant security responsibilities and provide specialized training, as required by NIST.[2]

• Security Configuration Management
  Twenty-four of 25 Windows systems tested were not compliant with the security configuration guidance provided by the Bureau of Diplomatic Security (DS), and seven of 25 systems did not have the vendor-required critical or high-priority software patches installed. Without sufficient configuration management, the Department's data may be exposed to loss of integrity and confidentiality because configuration standards may not be implemented.

(b)(2)(b)(5)

• Account and Identity Management Program
  From a population of approximately 83,000 Active Directory[4] accounts, we found approximately 1,000 guest, test, and temporary accounts; 8,000 accounts that had not been used (never logged on); and 600 accounts that had passwords that were set so that they would not expire. Therefore, these accounts are susceptible to being compromised by unauthorized users for unauthorized purposes.

• Personally Identifiable Information Incidents
  We found six instances in which the Department did not report personally identifiable information (PII) data incidents to the Department of Homeland Security's U.S. Computer Emergency Readiness Team (US-CERT) within 1 hour of suspecting or confirming a security breach, as required by OMB. Failure to notify US-CERT within the required timeframe increases the risk to individuals that their PII data may be misused. Also, the Department may be in violation of Federal law.

• Continuous Monitoring
  The scanning tools do not assess the Oracle configuration, the Department's most common database system, for configuration control weaknesses, which could adversely impact application access controls. Scanning results for routers, firewalls, and Demilitarized Zone servers were not available in iPost;[5] therefore, the results were not used in risk scoring.

• Contingency Planning
  A contingency plan did not exist for one system, and the Department had not performed a continuity of operations test of that system. Without testing the contingency plan at the system level, the Department cannot evaluate the plan's overall effectiveness, identify significant weaknesses, and ensure that corrective actions are taken.

• Oversight of Contractors
  A contract for one contractor system did not contain the required information security clauses from the Department of State Acquisition Regulations (DOSAR). The lack of information security requirements increases the risk that contractor systems possess inadequate security controls and make other Department software and hardware vulnerable to unauthorized access, use, disclosure, disruption, modification, or destruction. The Department did not have an effective mechanism in place to identify the total number of contractors who had access to and privileges within the Department's network, applications, databases, and data. As a result, the Department could not accurately determine whether contractor personnel had received the required information security awareness training and had gone through the proper security clearance process.

Although this report contains 15 recommendations to the Department, the most significant recommendations are highlighted as follows:

• Ensure that contractor systems go through the security authorization process, including completion of a risk assessment and implementation of necessary security controls.

• Develop a process to periodically review the POA&Ms to ensure that the needed resources, including the costs of goods and personnel, required to remediate security weaknesses are accurately recorded and accurate milestones and planned actions are documented.

• Define and identify personnel who have significant security responsibilities and ensure that they receive appropriate training.

• Ensure that the Department completes the end-to-end configuration management initiative, including implementation of the standard operating environment.

• Install a NIST-approved encryption algorithm that controls access to OpenNet Everywhere (ONE).[6] Also, procedures should be established to efficiently and effectively identify the total number of contractor personnel who have access to the Department's systems.

We provided copies of the draft report to Department officials on October 29, 2010, and a revised draft on November 5, 2010. In its November 8, 2010, response (see Appendix C) to the draft report, the Department generally concurred with nine recommendations but did not indicate concurrence or nonconcurrence with six recommendations. Based on the response, OIG modified two recommendations (Nos. 3 and 12), both of which are considered resolved, pending further action. Also based on the response, OIG considers 10 additional recommendations resolved, pending further action; two recommendations closed; and one recommendation unresolved.

The Department's responses to the recommendations and OIG's replies to the responses are presented after each recommendation.

[1] Pub. L. No. 107-347, title III.
[2] NIST SP 800-16, "Information Technology Training Requirements: Role- and Performance-Based Model."
[3] NIST SP 800-67, "Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher."
[4] Active Directory is a technology created by Microsoft that provides a variety of network services such as identification and authentication, directory access, and other network services.
[5] iPost is a system that provides the ability to monitor outputs of the various network monitoring applications. It allows key personnel to monitor network, computer, and application resources; check for potential problems; initiate corrective actions; and gather performance, compliance, and security data for near real-time and historical reporting.
[6] OpenNet Everywhere (ONE) is a program that allows users to access OpenNet from any computer with an Internet connection, allowing access to email and Intranet resources.

Background

FISMA recognized the importance of information security to the economic and national security interests of the United States. FISMA requires each Federal agency to develop, document, and implement an agency-wide program to provide information security for the information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. FISMA provides a comprehensive framework for establishing and ensuring the effectiveness of management, operational, and technical controls over IT that supports Federal operations and assets, and it provides a mechanism for improved oversight of Federal agency information security programs.

FISMA assigns specific responsibilities to Federal agencies, NIST, and OMB in order to strengthen information system security. In particular, FISMA requires the head of each agency to implement policies and procedures to cost-effectively reduce IT security risks to an acceptable level. To ensure the adequacy and effectiveness of information system controls, FISMA requires agency program officials, chief information officers, senior agency officials for privacy, and inspectors general to conduct annual reviews of the agency's information security program and report the results to OMB.

On an annual basis, OMB provides guidance with reporting categories and questions for meeting the current year's reporting requirements. OMB uses this data to assist in its oversight responsibilities and to prepare its annual report to Congress on agency compliance with FISMA.

Results of Review

Overall, based on our review, we concluded that the Department had established and is maintaining an Information Security Program. However, the Department needs to make significant improvements to address the control weaknesses noted to improve the program and to bring the program into compliance with FISMA, OMB, and NIST requirements.

A. FISMA System Inventory List Contained Retired Systems

We found that the Department did not maintain an accurate inventory of FISMA-reportable systems. Specifically, both the third and the fourth quarter FISMA inventory lists included six systems that were designated as retired systems in the Information Technology Asset Baseline (ITAB). The six systems are Case Management System, Compliance Analysis & Tracking System, Cultural Connect Envoys Workflow, Post Exchange Visitor Database, Exchanges Information System, and Gifts Tracking Database. OMB Memorandum M-10-15 states that all of the agency's information systems should be included as part of the FISMA inventory report.

The inventory was inaccurate because the ITAB team did not consult with the Bureau of Information Resource Management, Office of Information Assurance (IRM/IA), on the FISMA-reportable systems that were being retired.
In addition, IRM/IA officials manually reconciled the FISMA inventory report to the ITAB reports, which resulted in errors that may not have occurred under electronic processes.

Without an accurate FISMA system inventory list, the Department's process to support information resources management for technology planning, budgeting, and acquisition may be hampered.

Recommendation 1. We recommend that the Chief Information Officer verify the Federal Information Security Management Act systems inventory list to the Information Technology Asset Baseline to ensure that all information technology systems are accurately accounted for.

Management Comments: The Department concurred with the recommendation, stating that it "expect[s] to remove the retired systems in the FISMA inventory in the next quarter in which action such as an annual test or security authorization is required for that system."

OIG Analysis: Based on the response, OIG considers the recommendation resolved. This recommendation can be closed when OIG reviews and accepts documentation showing that the retired systems have been removed from the FISMA inventory.

B. Risk Management Framework Needs To Be Improved

The Department's risk management framework includes an enterprise-wide security authorization process and ongoing efforts to use automated tools for continuous monitoring. However, we found weaknesses related to the security authorization process, including the security authorization packages.

• (b)(2)(b)(5)[7] The security authorization process was not performed for contractor systems because the current Certification and Accreditation Toolkit (a procedure) does not require a separate security authorization for unclassified systems that are rated low impact and low cost. OMB Memorandum M-10-15 states that security controls "are required for all federal information systems" and that the security controls "must be assessed against the same NIST criteria and standards as if they were a Government-owned or -operated system."

• Also, of a sample of 30 systems, we found that security authorization packages[8] for four systems (b)(2)(b)(5) had expired on May 31, 2010, which exceeded their 3-year timeframe for authorization to process in accordance with OMB Circular A-130, Appendix III.[9] Officials from IRM/IA stated that the four security packages had expired because of contractual issues with the vendor, which delayed the security testing and impacted the timelines of the security authorization process.

The lack of current security authorization packages weakens the Department's risk management framework because changes within the systems and the systems' control environment may introduce new risks and vulnerabilities into the Department's environment.

Recommendation 2. We recommend that the Chief Information Security Officer ensure that systems operated by a contractor, including systems rated low cost and low impact, go through the security authorization process, including completion of a risk assessment and implementation of necessary security controls, and that security authorization packages are completed on a timely basis.

Management Comments: In its response, the Department requested that references to low-cost and/or low-impact systems be removed because NIST SP 800-37 "gives federal agencies considerable discretion in the selection of system accreditation boundaries" and OMB A-130, Appendix III, "only requires certification and accreditation . . . for major information systems." The Department further stated that it had included low-impact and low-cost systems within the accreditation boundary of the systems on which they run.

OIG Analysis: OMB Memorandum M-10-15 states, "Smaller 'systems' and 'applications' [which are not major applications or general support systems] may be included as part of the assessment of a larger system, as allowable in NIST guidance and provided [that] an appropriate risk assessment is completed and security controls are implemented." Subsequent inquiries indicated that security assessments were not conducted on the three contractor systems during FY 2010. Since the Department did not address the issue of security assessments for the contractor systems, OIG considers the recommendation unresolved. This recommendation can be considered resolved when the Department shows that the contractor systems were tested as part of a major application or general support system and the security authorization packages have been completed for the four systems.

[7] A system is considered high cost if any one of the following conditions is true: (a) the system is a general support system, (b) the system is an OMB A-11 Exhibit 300 submission or its components, (c) the system requires more than four full-time-equivalent staff in a single year, or (d) the total costs are more than $2 million in a fiscal year. If a system's cost does not meet any of these criteria, it is considered low cost.
[8] The security authorization package contains key documents such as the security plan, security assessment report, and POA&Ms (if applicable). The senior organization official uses content from the security authorization package and input from key officials to make a security authorization decision.
[9] OMB Circular A-130, Management of Federal Information Resources, app. 3, Security of Federal Automated Information Resources.

C. Plans of Action and Milestones Were Not Adequately Managed

We found that the Department had not adequately developed a POA&M process. OMB Memorandum M-02-01, Guidance for Preparing and Submitting Security Plan of Action and Milestones, states that POA&Ms should include the estimated funding resources required to resolve the weakness as well as the anticipated source of funding. The original milestone completion date should not be changed, but a new completion date should be added instead. Further, this guidance requires the POA&M to also identify other non-funding obstacles and challenges to resolving the weakness, for example, the lack of personnel or expertise or development of a new system to replace insecure legacy systems.

The purpose of the POA&M is to assist agencies in identifying, assessing, prioritizing, and monitoring the progress of corrective actions for security weaknesses found in programs and systems. The POA&M is used by OMB to assist in its oversight responsibilities and to inform the budget process.

As part of its efforts to improve the POA&M process, IRM/IA has a pilot program that issues POA&M report memorandums to bureaus and offices. However, we found that the Department had not taken the following actions required by OMB:

• Consistently recorded required resources for remediation of security weaknesses.

• Updated remediation schedules to reflect actual performance. Specifically, five of 13 security weaknesses tested were 120 or more days behind schedule, and the milestone changes, if applicable, were not recorded.

These conditions occurred because the Department had not consistently reviewed and maintained POA&M corrective actions for security weaknesses.

OMB[10] requires the cost to close actions to be tracked, including the cost of resources required, and a determination to be made as to whether the costs are already within the budget. The cost to close actions should also include all goods (things) and services (people) needed to close the action. Without the proper review and maintenance of POA&M activities, IT management may not be aware of the status of corrective actions. As a result, delays in the implementation of corrective actions may not be appropriately identified and resolved in a timely manner.

Recommendation 3. We recommend that the Chief Information Officer develop a process to periodically update the resources recorded in the plans of action and milestones (POA&M) and that it update, in the POA&Ms, those completion dates for corrective actions that have expired.

Management Comments: The Department stated, "Given the changes to reporting requirements under CyberScope [the CyberScope web application supports an OMB initiative to automate collection and reporting of FISMA requirements], the Department will seek [Department of Homeland Security] . . . clarification on the desired timeliness and level of aggregation of these updates."

OIG Analysis: Based on the response, OIG modified this recommendation to delete reference to POA&M prioritization. This recommendation can be closed when OIG reviews and accepts documentation showing the process the Department has developed regarding updates in the POA&Ms.

D. Security Awareness Training Requirements Were Not Enforced

In the FY 2009 FISMA review, OIG reported that the Student Training Management System (STMS) does not track courses that employees take annually to meet continuing professional education requirements. In addition, management did not receive a report periodically showing which training courses employees who had significant security responsibilities had attended.

The Department is working to address the findings identified in the FY 2009 FISMA review. For example, IRM/IA, DS, and the Foreign Service Institute (FSI) have reestablished the Awareness, Training, Education, and Professionalism Working Group, which addresses both the awareness training and the training of staff who have significant IT security responsibilities.

However, during the 2010 FISMA review, we found that the Department did not identify all employees who had significant security responsibilities and had not provided all of those employees with specialized training, as required by NIST SP 800-16.[11]

By not properly training its employees who have significant security responsibilities, the Department increases its risk of security incidents, breaches, or loss of sensitive data. Training enhances the awareness of all personnel and ensures the protection of the Department's information systems.

[10] OMB Memorandum M-04-25, FY 2004 Reporting Instructions for the Federal Information Security Management Act.
[11] NIST SP 800-16, "Information Technology Training Requirements: Role- and Performance-Based Model."

Recommendation 4. We recommend that the Chief Information Officer, the Foreign Service Institute, and the Bureau of Diplomatic Security implement methods to enforce the security awareness policy to suspend a user's access if the user has not taken the Cyber Security Awareness course within the required timeframe.

Recommendation 5. We recommend that the Chief Information Officer, the Foreign Service Institute, and the Bureau of Diplomatic Security complete the Department of State's corrective action plan (which involves Active Directory, security awareness completion data, and iPost) to enforce the security awareness policy to suspend a user's access if the Cyber Security Awareness course is not taken within the required timeframe.

Management Comments and OIG Analysis: The Department provided additional information for Recommendations 4 and 5 showing that only one user had not taken the required security awareness training. Based on the response, OIG considers both recommendations closed.

Recommendation 6. We recommend that the Chief Information Officer and the Bureau of Diplomatic Security define and identify personnel who have significant security responsibilities and ensure that they receive the appropriate training.
Also, the Student\n       Training Management System should be modified to capture other training systems, such\n       as those paid for by the Department of State, to meet continuing professional education\n       requirements.\n\n       Management Comments: The Department agreed with the recommendation, stating\n       that DS will have \xe2\x80\x9cprimary responsibility for identification of personnel with significant\n       security responsibility\xe2\x80\x9d and that IRM \xe2\x80\x9cwill be consulted for policy guidance.\xe2\x80\x9d The\n       Department further stated that DS had set aside funding in FY 2011 to conduct an\n       analysis of the best method for identifying and tracking personnel with significant\n       security responsibility and that the Department will use existing resources, such as STMS\n       and a Bureau of Human Resources system (GEMS), \xe2\x80\x9cto determine the most cost-effective\n       method of extracting and presenting relevant data from these systems\xe2\x80\x9d after the personnel\n       with significant security responsibility have been identified.\n\n       OIG Analysis: Based on the response, OIG considers the recommendation resolved.\n       This recommendation can be closed when OIG reviews and accepts documentation\n       showing that personnel with significant security responsibility have been identified and\n       trained and that STMS has been modified to capture the information requested.\n\n\n\n\n                                                                                                  9\n\x0c                                            UNCLASSIFIED\n\n\n     E. Security Configuration Management Needs Improvement\n\n       In the FY 2009 FISMA review, OIG reported that the implementation and monitoring of\nconfiguration management controls, including the scanning process, were decentralized and were\nshared among bureaus, ISSOs, and IRM/IA. 
Furthermore, the prior year\xe2\x80\x9fs review found that\nmore than half of the 23 in-scope systems reviewed had exceptions. The Chief Information\nOfficer has been working on addressing the findings identified in the FY 2009 FISMA review.\nFor example, the Department is drafting guidance on cyber security architecture, which will\ninclude the current need for strong configuration management. In addition, the Department is\nworking on an initiative for end-to-end configuration management, which will provide a secure\noperating environment, centralized management of enterprise workstations and server\nconfigurations, and implementation of central patch management.\n\n       Although the Chief Information Officer is taking actions, we found deficiencies in the\nconfiguration management process as follows:\n\n        \xef\x82\xb7   Of a sample of 25 systems, 24 systems were not fully compliant with the security\n            configuration guidance provided by DS. For example, some systems did not contain\n            the registry settings12 required by DS. For all systems that had deficiencies, there\n            was no evidence of exceptions or waivers by the Chief Information Security Officer.\n            According to the FAM,13 system owners are required to obtain approval from the\n            Chief Information Security Officer for waivers, exceptions, and deviations from\n            information security controls. In addition, the FAM14 requires hardware and software\n            to be \xe2\x80\x9capproved and configured in accordance with Department security\n            configuration guidelines.\xe2\x80\x9d\n\n        \xef\x82\xb7   Of another sample of 25 systems, seven systems did not have the vendor-required\n            critical or high priority software patches installed.\n\n       FISMA requires each agency to develop minimally acceptable system configuration\nrequirements and ensure compliance with them. 
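One way to check a host against such a configuration baseline and separate approved waivers from real deviations, as an added PowerShell example that is neither DS guidance nor Department tooling; the baseline entries and the waiver table below are constructed for illustration, and a real run would load them from the approved configuration guide and the CISO waiver records.

```powershell
# Added example, not DS guidance: compare this host's registry values against a
# configuration baseline and report each setting as Compliant, Waived, Missing,
# or Deviation. The baseline entries and the waiver table are constructed for
# illustration; a real run loads them from the approved configuration guide and
# the CISO waiver records (5 FAM 1065.3-2).
$Baseline = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'EnableLUA';                Expected = 1 }   # User Account Control on
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'LmCompatibilityLevel';     Expected = 5 }   # NTLMv2 only, refuse LM/NTLM
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'NoLMHash';                 Expected = 1 }   # do not store LM hashes
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name = 'RequireSecuritySignature'; Expected = 1 }   # SMB signing required
)

# Waivers keyed by "<Path>\<Name>"; the value is the approval reference. Constructed;
# empty here so every mismatch shows up as a finding.
$Waivers = @{
    # 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel' = 'CISO waiver <placeholder-id>'
}

function Test-RegistryBaseline {
    param([array]$Baseline, [hashtable]$Waivers)
    foreach ($item in $Baseline) {
        $key    = "$($item.Path)\$($item.Name)"
        $actual = $null
        if (Test-Path -Path $item.Path) {
            # A missing value name is reported as Missing rather than as an error.
            $props = Get-ItemProperty -Path $item.Path -Name $item.Name -ErrorAction SilentlyContinue
            if ($props) { $actual = $props.($item.Name) }
        }
        # A waiver only excuses a mismatch; it never turns a mismatch into Compliant.
        $status = if ($null -ne $actual -and $actual -eq $item.Expected) { 'Compliant' }
                  elseif ($Waivers.ContainsKey($key))                    { 'Waived' }
                  elseif ($null -eq $actual)                             { 'Missing' }
                  else                                                   { 'Deviation' }
        [pscustomobject]@{
            Setting  = $key
            Expected = $item.Expected
            Actual   = $actual
            Status   = $status
            Waiver   = $Waivers[$key]
        }
    }
}

$results = Test-RegistryBaseline -Baseline $Baseline -Waivers $Waivers
$results | Format-Table Setting, Expected, Actual, Status, Waiver -AutoSize

# Unwaived findings produce a non-zero exit so a scheduler or scanner can flag the host.
$open = @($results | Where-Object { $_.Status -in @('Missing', 'Deviation') })
if ($open.Count -gt 0) { exit 1 }
```

The same table, written to a share or a scanning console, is the evidence trail the finding says was missing: which setting deviated, on which host, and whether a waiver existed.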
Standard security configurations provide a baseline level of security, reduce risk from security threats and vulnerabilities, and save time and resources.

Responsibility for the implementation of configuration management controls for the systems, operating systems, databases, and network, including the scanning process, was decentralized because of the IT architecture. Even though DS and IRM may identify security configuration deficiencies and out-of-date software patches, the system owners are responsible for the operations to bring their systems into compliance. To correct these weaknesses, the Department is in the process of implementing the end-to-end configuration management initiative, which includes a standard operating environment to support development of strong configuration management plans for the computing environments commonly used throughout the Department.

Configuration management controls allow agencies to improve system performance, decrease operating costs, and ensure public confidence in the confidentiality, integrity, and availability of Government information. Without sufficient configuration management, the Department’s data may be exposed to loss of integrity and confidentiality because configuration standards may not be implemented.

       Recommendation 7. We recommend that the Chief Information Officer complete the end-to-end configuration management initiative, including implementation of the standard operating environment.

       Management Comments: The Department agreed with the recommendation, stating that patch management had been centralized for more than half of the Department, with “full coverage” scheduled for completion in FY 2011. The Department further stated, “Automated enforcement of configuration standards is . . . being piloted with broader deployment expected over the next two fiscal years.”

       OIG Analysis: Based on the response, OIG considers the recommendation resolved. The recommendation can be closed when OIG reviews and accepts documentation showing that the end-to-end configuration management initiative has been implemented.

[12] Registry settings store the configuration settings and options on Microsoft Windows systems.
[13] 5 FAM 1065.3-2, “Requests for Waivers, Exceptions, and Deviations.”
[14] 12 FAM 625.2, “Administrative Security,” and 12 FAM 635.2, “Administrative Security: Authorized Use of Microcomputers.”

F. OpenNet Everywhere Software Package Had Significant Security Weaknesses

OpenNet Everywhere (ONE) is a program that allows users to access OpenNet from any computer with an Internet connection, allowing access to email and Intranet resources.

(b)(2)(b)(5)

(b)(2)(b)(5)

For 19 of 25 employees tested, the Department did not maintain approval documentation to support supervisory approval of remote access privileges. The FAM[17] states, “A U.S. citizen direct-hire supervisor and either management officer or executive director must: (1) Approve in writing all requests for remote access by individual users.”

(b)(2)(b)(5)

In addition, the Department did not maintain documentation that supported the electronic authentication level assessment for ONE. OMB Memorandum M-04-04, E-Authentication Guidance for Federal Agencies, requires agencies to review new and existing electronic transactions to ensure that authentication processes provide the appropriate level of assurance.

(b)(2)(b)(5)

In addition, the Department did not follow its policy to approve in writing all user requests for remote access.

(b)(2)(b)(5)

       Recommendation 8. We recommend that the Chief Information Officer (b)(2)(b)(5) and document the necessary risk assessment to determine the electronic authentication level for ONE.

       Management Comments: The Department concurred with the recommendation, stating that ONE will be replaced by a new system, Global OpenNet, (b)(2)(b)(5)

       OIG Analysis: Based on the response, OIG considers this recommendation resolved. (b)(2)(b)(5)

[17] 12 FAM 682.2-2, “Remote Access Management Responsibilities.”

G. Account Management in Active Directory Needs Improvement

The Department needs to improve account management procedures and processes in Active Directory, which is used to manage all network users’ accounts. For example, we found three active accounts for 25 separated personnel. According to the FAM,[18] personnel officers must notify the data center manager, the system manager, and the ISSO immediately of any employee or contractor with access to the system whose employment is being terminated for any reason, so that access privileges can be revoked. In addition, from a population of approximately 83,000 Active Directory accounts, we found the following:

   •   Approximately 1,000 guest, test, and temporary accounts. The FAM[19] requires the removal of default user accounts and passwords. The FAM[20] states that the Department may not maintain permanent user accounts and passwords on systems for visitors, training, demonstrations, or other purposes.

   •   Approximately 8,000 accounts that have never been used (never logged on). The FAM[21] requires user privileges to be reviewed annually to verify that privileges are still appropriate.

   •   Approximately 600 accounts with passwords set not to expire. The FAM[22] requires passwords to be changed at least every 60 days.

The Active Directory weaknesses occurred because the Department did not perform an annual review and recertification of users’ privileges. In addition, the Active Directory administrator did not use the Active Directory automated account management tools to identify accounts that had not been used for an extended period of time.

As a result of these weaknesses, the Department increases its risk that guest, test, and temporary accounts, and active accounts that are no longer needed, may be used by unauthorized users for unauthorized purposes.

[18] 12 FAM 621.3-3, “System Access.”
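The automated account review this finding calls for, as an added PowerShell example that is not the Department's Active Directory tooling; it assumes the RSAT ActiveDirectory module, read access to the domain, and that the guest/test/temporary name patterns and the waiver list (both constructed here) are replaced with local conventions.

```powershell
# Added example, not the Department's tooling: audit enabled Active Directory user
# accounts for the conditions this finding describes (never logged on, inactive,
# password never expires, password older than the 60-day maximum, guest/test/temp
# names). Assumes the RSAT ActiveDirectory module and domain read access.
Import-Module ActiveDirectory

function Get-AccountHygieneReport {
    param(
        [int]$InactiveDays = 60,        # flag threshold in Recommendation 9
        [int]$MaxPasswordAgeDays = 60,  # 12 FAM 622.1-3: change at least every 60 days
        # Constructed name patterns; align them with local naming conventions.
        [string[]]$NonPersonPatterns = @('guest*', 'test*', 'temp*', 'tmp*')
    )
    $now = Get-Date

    # One directory query. LastLogonDate is derived from lastLogonTimestamp, which
    # replicates lazily (by default up to 14 days late), so it is a coarse signal:
    # fine for a 60-day threshold, useless for "logged on yesterday".
    $users = @(Get-ADUser -Filter { Enabled -eq $true } `
        -Properties LastLogonDate, PasswordLastSet, PasswordNeverExpires, whenCreated)

    $isNonPerson = {
        param($u)
        foreach ($p in $NonPersonPatterns) { if ($u.SamAccountName -like $p) { return $true } }
        return $false
    }

    [pscustomobject]@{
        TotalEnabled         = $users.Count
        NeverLoggedOn        = @($users | Where-Object { -not $_.LastLogonDate })
        InactiveOverCutoff   = @($users | Where-Object {
                                   $_.LastLogonDate -and $_.LastLogonDate -lt $now.AddDays(-$InactiveDays) })
        PasswordNeverExpires = @($users | Where-Object { $_.PasswordNeverExpires })
        PasswordOlderThanMax = @($users | Where-Object {
                                   -not $_.PasswordNeverExpires -and $_.PasswordLastSet -and
                                   $_.PasswordLastSet -lt $now.AddDays(-$MaxPasswordAgeDays) })
        GuestTestTemp        = @($users | Where-Object { & $isNonPerson $_ })
    }
}

# Remediation for the password-expiry condition. Report first, then run with -WhatIf,
# and clear the flag only for accounts without a documented waiver: service accounts
# that genuinely need it belong on the CISO waiver list, not silently skipped.
function Clear-PasswordNeverExpires {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]$User,
        [string[]]$WaivedSamAccountNames = @()
    )
    process {
        if ($WaivedSamAccountNames -contains $User.SamAccountName) { return }
        if ($PSCmdlet.ShouldProcess($User.SamAccountName, 'Set PasswordNeverExpires to false')) {
            Set-ADUser -Identity $User -PasswordNeverExpires $false
        }
    }
}

$report  = Get-AccountHygieneReport
$summary = @($report.TotalEnabled, $report.NeverLoggedOn.Count, $report.InactiveOverCutoff.Count,
             $report.PasswordNeverExpires.Count, $report.GuestTestTemp.Count)
'{0} enabled users: {1} never logged on, {2} inactive over 60 days, {3} password never expires, {4} guest/test/temp' -f $summary

# Evidence for the annual privilege review (Recommendation 10): one CSV per category
# that program and office managers can attest against.
foreach ($cat in 'NeverLoggedOn', 'InactiveOverCutoff', 'PasswordNeverExpires', 'GuestTestTemp') {
    $report.$cat | Select-Object SamAccountName, Name, whenCreated, LastLogonDate, PasswordLastSet |
        Export-Csv -Path ".\ad-review-$cat.csv" -NoTypeInformation
}

# Dry run; remove -WhatIf only after the waiver list has been reviewed.
$report.PasswordNeverExpires | Clear-PasswordNeverExpires -WaivedSamAccountNames @() -WhatIf
```

Separated personnel cannot be detected from the directory alone; that check needs the HR separation feed joined against the same account list.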
Additionally, accounts set with passwords that do not expire increase the potential for an account password to be obtained by unauthorized users.

       Recommendation 9. We recommend that the Chief Information Officer enhance the Active Directory account management automated tools to flag accounts that have not been used within the past 60 days and ensure that all accounts are configured with passwords that expire every 60 days.

       Recommendation 10. We recommend that the Chief Information Officer ensure that program managers and office managers annually review the access privileges of users under their supervision so that the number of guest, test, and temporary accounts and of accounts that have not been used is reduced.

       Management Comments: IRM concurred with both recommendations, stating that the continuous monitoring approach (described in Finding I) will include accounts with passwords set to expire in 60 days and passwords set never to expire. The Department further stated that accounts not compliant with this standard “negatively impact site scores” and that the “‘manager’ field in Active Directory identifies the individual responsible for all accounts.”

       OIG Analysis: Based on the response, OIG considers both recommendations resolved. These recommendations can be closed when OIG reviews and accepts documentation showing that the continuous monitoring program includes accounts with passwords exceeding 60 days and passwords set never to expire.

[19] 12 FAM 629.2-2, “Administrative Security.”
[20] 12 FAM 622.1-3, “Password Controls.”
[21] Ibid.
[22] Ibid.

H. Personally Identifiable Information Incidents Were Not Reported Timely

We found six of 10 instances in which the Department did not report PII data incidents to the US-CERT within 1 hour of suspecting or confirming a security breach, as required by OMB Memorandum M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments. Memorandum M-06-19 requires agencies to report all incidents involving PII to the US-CERT within 1 hour of discovering an incident. The memorandum also clarifies that the reporting requirement applies to PII in electronic or physical form and does not distinguish between suspected and confirmed breaches.

Failure to notify US-CERT within the required timeframe increases the risk to individuals that their PII data may be misused. Additionally, the Department may be in violation of Federal law because of untimely notification of PII incidents.

       Recommendation 11. We recommend that the Bureau of Diplomatic Security implement proper staff awareness through training and have shift supervisors, as part of the shift-change procedures, ensure that personally identifiable information data incidents are reported to the U.S. Computer Emergency Readiness Team within the required 1-hour timeframe.

       Management Comments: In its response to the recommendation, the Department stated that it is “committed to meeting the requirement of reporting PII data incidents to US-CERT” in accordance with “Department policy . . . and the Computer Incident Response Team’s (CIRT) standard operating procedures.” The Department further stated that the CIRT has assigned an analyst who will monitor the incident in-box for PII reports and assign incoming PII reports’ priority status for evaluation. In addition, according to the Department, DS is continuing to develop its new “ticket tracking database,” which will enable CIRT “to automatically designate incoming PII reports priority status.”

       OIG Analysis: Based on the response, OIG considers the recommendation resolved. This recommendation can be closed when OIG reviews and accepts documentation showing that PII incidents are being sent to US-CERT within the 1-hour timeframe.

I. Continuous Monitoring Program Needs Improvement

To fulfill OMB and NIST continuous monitoring requirements, the Department is using iPost to monitor its security controls, implement configuration management, and report on security status to appropriate Department officials. iPost routinely makes scanning results available to system owners, and the risk scoring reports and associated quarterly notifications to responsible system owners raise the visibility of configuration management weaknesses and provide plans for correction.

However, as identified in the FY 2009 FISMA review, continuous monitoring controls did not address the following significant risks:

   •   The scanning tools do not assess the Oracle configuration, the Department’s most common database system, for configuration control weaknesses, which could adversely impact application access controls.

   •   Scanning results for routers, firewalls, and Demilitarized Zone servers were not available in iPost; therefore, these results were not used in risk scoring.

As stated in NIST’s “Frequently Asked Questions: Continuous Monitoring, June 1, 2010,”[23] organizations are required to develop a continuous monitoring strategy for their information systems and the environments in which those systems operate.

Because of the lack of an enterprise-wide continuous monitoring strategy, security weaknesses of relevant IT components, such as databases and network devices, were not included in iPost.

A rigorous and well-executed continuous monitoring program significantly reduces the level of effort required for the reauthorization of the information system. Continuous monitoring activities are scaled in accordance with the security categorization of the information system. Senior officials can use this information to take appropriate risk mitigation actions and make cost-effective, risk-based decisions regarding the operation of their respective information systems.

       Recommendation 12. We recommend that the Chief Information Officer include, under its continuous monitoring program, scanning results for databases, firewalls, routers, and switches and include the results in the Risk Scoring Program dashboard.

       Management Comments: In its response to the recommendation, the Department stated that documentation supporting the continuous monitoring strategy had been provided to OIG.

       OIG Analysis: Based on the response, OIG considers the recommendation resolved. The recommendation can be closed when OIG reviews and accepts documentation showing that the Risk Scoring Program dashboard includes the system components shown in the recommendation.

[23] NIST SP 800-37, rev. 1, “Guide for Applying the Risk Management Framework to Federal Information Systems.”

J. Contingency Plans Need To Be Updated

We found that a contingency plan did not exist for the State Messaging and Archive Retrieval Toolset (SMART) system and that the Department had not performed a continuity of operations test of the SMART system. According to the FAM,[24] the data center manager and the system manager must update each contingency plan annually or when major modifications occur.

According to the Bureau of Administration, Office of Emergency Management, the Continuity of Operations–Communications Plan is undergoing revision. The plan was evaluated and discussed during an OIG inspection[25] and by the Department of Homeland Security’s Federal Emergency Management Agency during Continuity Exercise Eagle Horizon 2010. The SMART contingency plan is still in draft form because a secondary (or backup) site for SMART has not been identified, which has delayed finalizing the contingency plan.

Without testing the contingency plan at the system level, the Department cannot evaluate the plan’s overall effectiveness, identify significant weaknesses, and ensure that corrective actions are made.

       Recommendation 13. We recommend that the Chief Information Officer identify the secondary site for the State Messaging and Archive Retrieval Toolset (SMART) system and complete development of the SMART system contingency plan.

       Management Comments: The Department concurred with the recommendation, stating that a secondary site had been identified and that the completed contingency plan and contingency system would be developed and tested by September 2011.

       OIG Analysis: Based on the response, OIG considers the recommendation resolved. This recommendation can be closed when OIG reviews and accepts documentation showing that the contingency plan and system were tested by the date specified.

[24] 12 FAM 622.3-2, “Contingency Plan Preparation.”
[25] The Bureau of Administration’s Office of Emergency Management (ISP-I-10-43, July 2010).

K. Oversight of Contractor Systems Requires Improvement

The Department did not consistently maintain required documentation for contractor systems; for example, a contract for one system did not contain the required information security clauses from the DOSAR. The DOSAR[26] states that all offers and bids submitted in response to solicitations must address the approach for completing the security plan and certification and accreditation requirements as required.

We also found that the Department did not have an effective mechanism in place to identify the total number of contractors who had access to and privileges within the Department’s network, applications, databases, and data. According to OMB Memorandum M-10-15, “Agencies must develop policies for information security oversight of contractors and other users with privileged access to Federal data. Agencies must also review the security of other users with privileged access to Federal data and systems.”

The process by which bureaus and offices provide oversight of contractor systems and personnel is decentralized, and the system to provide better contractor oversight has not been completed. For instance, to obtain information on the total number of contractor personnel, personnel from each bureau and office would have to be contacted. DS and the Bureau of Human Resources began collaboration on the development of the Contractor Personnel Support System. According to DS, once the system is fully implemented and integrated with other systems, it will provide more contractor oversight information for the Department.

The lack of information security requirements increases the risk that contractor systems have inadequate security controls and makes other Department software and hardware vulnerable to unauthorized access, use, disclosure, disruption, modification, or destruction. Additionally, without adequate contractor oversight, the Department has minimal assurance that the contractor’s information security controls are compliant with FISMA, OMB requirements, and NIST standards.

Without an effective mechanism to identify and track contractor personnel who have been granted access and privileges within the Department’s network and access to the Department’s software, data, and databases, the Department cannot accurately assess whether contractor personnel have received the required information security awareness training and have gone through the proper security clearance process.

       Recommendation 14. We recommend that the Bureau of Administration review all relevant information technology and professional services contracts to ensure that they contain the required Department of State Acquisition Regulations information security clauses.

       Recommendation 15. We recommend that the Bureau of Diplomatic Security, in coordination with the Bureau of Administration, establish procedures to identify the total number of contractors who have access to Department of State systems.

       Management Comments: In its response, the Department agreed with both recommendations, stating that the Bureau of Administration will review contract processes to ensure that contracts are reviewed before they are signed and that a copy of the updated Quality Assurance Plan will be provided to OIG. The Department further stated that the CIO had developed a procedure to use Active Directory accounts to identify the total number of individuals (including contractors) who have access to the Department’s network and that compliance with this procedure, which is being enforced by the site scoring process, had begun on November 1, 2010.

       OIG Analysis: Based on the response, OIG considers both recommendations resolved. These recommendations can be closed when OIG reviews and accepts documentation showing that the contracts contain the required DOSAR clauses and verifies that the Department can identify the total number of contractors who have access to the Department’s network.

[26] DOSAR 652.239-70, “Information Technology Security Plan and Accreditation.”

List of Recommendations

Recommendation 1. We recommend that the Chief Information Officer verify the Federal Information Security Management Act systems inventory list against the Information Technology Asset Baseline to ensure that all information technology systems are accurately accounted for.

Recommendation 2. We recommend that the Chief Information Security Officer ensure that systems operated by a contractor, including systems rated low cost and low impact, go through the security authorization process, including completion of a risk assessment and implementation of necessary security controls, and that security authorization packages are completed on a timely basis.

Recommendation 3. We recommend that the Chief Information Officer develop a process to periodically update the resources recorded in the plans of action and milestones (POA&M) and that it update, in the POA&Ms, those completion dates for corrective actions that have expired.

Recommendation 4. We recommend that the Chief Information Officer, the Foreign Service Institute, and the Bureau of Diplomatic Security implement methods to enforce the security awareness policy to suspend a user’s access if the user has not taken the Cyber Security Awareness course within the required timeframe.

Recommendation 5. We recommend that the Chief Information Officer, the Foreign Service Institute, and the Bureau of Diplomatic Security complete the Department of State’s corrective action plan (which involves Active Directory, security awareness completion data, and iPost) to enforce the security awareness policy to suspend a user’s access if the Cyber Security Awareness course is not taken within the required timeframe.

Recommendation 6. We recommend that the Chief Information Officer and the Bureau of Diplomatic Security define and identify personnel who have significant security responsibilities and ensure that they receive the appropriate training. Also, the Student Training Management System should be modified to capture other training systems, such as those paid for by the Department of State, to meet continuing professional education requirements.

Recommendation 7. We recommend that the Chief Information Officer complete the end-to-end configuration management initiative, including implementation of the standard operating environment.

Recommendation 8. We recommend that the Chief Information Officer install a NIST-approved encryption algorithm to support access controls for OpenNet Everywhere (ONE), reconfigure the ONE session timeout setting to 20 minutes, retain remote access authorization forms to show supervisory approval, and document the necessary risk assessment to determine the electronic authentication level for ONE.

Recommendation 9. We recommend that the Chief Information Officer enhance the Active Directory account management automated tools to flag accounts that have not been used within the past 60 days and ensure that all accounts are configured with passwords that expire every 60 days.

Recommendation 10. We recommend that the Chief Information Officer ensure that program managers and office managers annually review the access privileges of users under their supervision so that the number of guest, test, and temporary accounts and of accounts that have not been used is reduced.

Recommendation 11. We recommend that the Bureau of Diplomatic Security implement proper staff awareness through training and have shift supervisors, as part of the shift-change procedures, ensure that personally identifiable information data incidents are reported within the required 1-hour timeframe.

Recommendation 12. We recommend that the Chief Information Officer include, under its continuous monitoring program, scanning results for databases, firewalls, routers, and switches and include the results in the Risk Scoring Program dashboard.

Recommendation 13. We recommend that the Chief Information Officer identify the secondary site for the State Messaging and Archive Retrieval Toolset (SMART) system and complete development of the SMART system contingency plan.

Recommendation 14. We recommend that the Bureau of Administration review all relevant information technology and professional services contracts to ensure that they contain the required Department of State Acquisition Regulations information security clauses.

Recommendation 15. We recommend that the Bureau of Diplomatic Security, in coordination with the Bureau of Administration, establish procedures to identify the total number of contractors who have access to Department of State systems.

Acronyms

Department   U.S. Department of State
DOSAR        Department of State Acquisition Regulations
DS           Bureau of Diplomatic Security
FIPS         Federal Information Processing Standards
FISMA        Federal Information Security Management Act
IRM/IA       Bureau of Information Resource Management, Office of Information Assurance
ISSO         Information System Security Officer
IT           information technology
ITCCP        Information Technology Change Control Board
ITSP         Information Technology Strategic Plan
NIST         National Institute of Standards and Technology
OIG          Office of Inspector General
OMB          Office of Management and Budget
ONE          OpenNet Everywhere
PII          personally identifiable information
POA&M        Plan of Action and Milestones
SMART        State Messaging and Archive Retrieval Toolset
US-CIRT      U.S. Computer Information Readiness Team
US-CERT      U.S. Computer Emergency Readiness Team

Appendix A

Objectives, Scope, and Methodology

In order to fulfill its responsibilities related to the Federal Information Security Management Act (FISMA), the Office of Inspector General (OIG) contracted with Williams, Adley & Company, LLP (referred to as “we” in this appendix), an independent public accountant, to review the Department of State’s information security program and practices to determine the effectiveness of such programs and practices for FY 2010.

FISMA requires each Federal agency to develop, document, and implement an agency-wide program to provide information security for the information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. To ensure the adequacy and effectiveness of these controls, FISMA requires the agency inspector general or an independent external auditor to perform annual reviews of the information security program and to report those results to the Office of Management and Budget (OMB). OMB uses this data to assist in its oversight responsibilities and to prepare its annual report to Congress regarding agency compliance with FISMA.

We conducted the review from June through September 2010. In addition, we performed the review in accordance with FISMA, OMB, and NIST guidance.
We and OIG believe that the evidence obtained provides a reasonable basis for the findings and conclusions represented in this report.

We used the following laws, regulations, and policies to evaluate the adequacy of the controls in place at the Department:

• OMB Memorandums M-02-01, M-04-04, M-06-19, and M-10-15.
• Department policies and procedures.
• Federal laws, regulations, and standards (such as the Computer Security Act of 1987, FISMA, and OMB Circular A-130, Appendix III).
• National Institute of Standards and Technology (NIST) Special Publications, Federal Information Processing Standards (FIPS) publications, other applicable NIST publications, and industry best practices.

The review evaluated the Department's information security program policies, procedures, and processes in the following areas:

• System inventory.
• Risk management framework (formerly Certification & Accreditation).
• Security configuration management.
• Incident response and reporting.
• Security training.
• Plans of action and milestones (POA&M).
• Remote access.
• Account and identity management.
• Continuous monitoring.
• Contingency planning.
• Oversight of contractor systems.

The audit covered the period October 1, 2009, to September 30, 2010. During the fieldwork, we took the following actions:

• Determined the extent to which the Department's information security plans, programs, and practices complied with FISMA requirements; applicable Federal laws, regulations, and standards; relevant OMB Circular A-130, Appendix III, processes and reporting requirements; and NIST and FIPS requirements.

• Reviewed all relevant security programs and practices to report on the effectiveness of the Department's agency-wide information security program in accordance with OMB's annual FISMA reporting instructions. The evaluation approach addressed OMB Memorandum M-10-15, FY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, which outlines changes to both the reporting processes and the questions.

• Assessed programs for monitoring of security policy and program compliance and for responding to security events (that is, unauthorized changes detected by intrusion detection systems).

• Performed testing of major systems at the discretion of OIG. We tested 30 systems for our sample.

• Assessed the adequacy of internal controls related to the areas audited. Significant deficiencies identified during the review are reported in this report.

• Evaluated the Department's remedial action taken to address the previously reported Information Security Program control weaknesses identified in OIG's report Review of the Information Security Program at the Department of State (AUD/IT-10-10, Nov. 2009).


Appendix B

Follow-up of Recommendations From the FY 2009 FISMA Report

The review team reviewed actions implemented by management to mitigate the findings identified in the FY 2009 FISMA report. The current status of each of the recommendations is as follows:

Recommendation 1: The Chief Information Security Officer, Bureau of Information Resource Management, should work with systems owners to identify critical and volatile controls that should be tested for each application and system; expand the quality control program to include analysis of how well certification testing addresses critical, volatile, and inherited controls; and ensure all controls are tested over a 3-year C&A [Certification and Accreditation] cycle.

2010 Status: Partially implemented. The Bureau of Information Resource Management, Office of Information Assurance (IRM/IA), has updated the Annual Control Assessment Toolkit to incorporate the changes regarding Critical and Volatile Controls.
The Annual Control Assessment exit criteria checklist has been modified to advise the reviewer to be especially vigilant in reviewing all of these controls.

Recommendation 2: The Chief Information Security Officer, Bureau of Information Resource Management, and systems owners should supplement the current information provided in the C&A Main Toolkit and Inventory Toolkit to include additional guidance for annual testing of critical and volatile controls and be more proactive in reviewing Systems Security Plans and test results to ensure compliance with the methodology in the C&A Toolkits.

2010 Status: Closed. The Annual Control Assessment Toolkit was modified to include information on the rationale for selecting Critical & Volatile Controls at the Department level. A note was added indicating that the Department has identified CA-3 as a mandatory critical control. The Main Certification and Accreditation Toolkit was also modified to provide more guidance to system owners.

Recommendation 3: The Chief Information Security Officer, Bureau of Information Resource Management, and systems owners should update the Contingency Plan (CP) Toolkit to include requirements that systems owners should review and revise the CP following failed CP test results, create POA&M [Plans of Action and Milestones] for failed CP control tests, and include verification by the Office of Information Assurance that systems owners are complying with the CP Toolkits and methodology.

2010 Status: Closed. Improved guidance was provided in the Contingency Plan Toolkit and the exit checklist.

Recommendation 4: The Chief Information Security Officer, Bureau of Information Resource Management, and the Senior Coordinator for Security Infrastructure Directorate should work on an initiative for end-to-end configuration management which will provide a secure operating environment, centralized management of enterprise workstation and server configurations, and implementation of central patch management. Create an Information Security Architecture that outlines information security responsibility for the Department of State's decentralized information security environment.

2010 Status: This is a repeat recommendation from the FY 2009 report. It has become Recommendation 7 (Finding E) in the FY 2010 report.

Recommendation 5: The Chief Information Security Officer, Bureau of Information Resource Management, should work with systems owners to accomplish the following:

• Record and report systemic security weaknesses identified through the iPost/site Scoring process as POA&M actions to ensure that these weaknesses are tracked, prioritized, and remediated.

• Report POA&M actions on a quarterly basis for sites that have low scores, requiring them to raise those scores.

• Report POA&M actions for risk covered by iPost scoring "exceptions."

2010 Status: Closed. The pilot POA&M Grading Memorandum has been created. The systemic weaknesses and exceptions data are captured in the POA&M.

Recommendation 6: The Chief Information Security Officer, Bureau of Information Resource Management, should work with systems owners to implement a method that provides timely and complete updates to the POA&M database. Validate the information in the Department POA&M database, and review the Corrective Action Plan report before it is submitted to OMB.

2010 Status: This is a repeat recommendation from the FY 2009 report. It has become Recommendation 3 (Finding C) in the FY 2010 report.

Recommendation 7: The Chief Information Officer, Bureau of Information Resource Management, and systems owners should work together to develop, publish, and implement detailed Standard Operating Procedures (SOP) for addressing Information Technology (IT) audit-related weaknesses and findings.

2010 Status: Closed. An SOP was created.

Recommendation 8: The Director of the Office of Computer Security, Bureau of Diplomatic Security, in coordination with the Director of the Foreign Service Institute, should implement methods to globally enforce the security awareness policies and enhance existing methods to identify users who should take the Cyber Security Awareness Training Course.

2010 Status: This is a repeat recommendation from the FY 2009 report.
It has become Recommendations 4 and 5 (Finding D) in the FY 2010 report, of which both recommendations are closed.

Recommendation 9: The Bureau of Diplomatic Security, Assistant Director of Training, the Bureau of Information Resource Management, Chief Information Officer, and the Bureau system owners should improve methods to identify individuals with significant security responsibilities, ensure that they take the required training every 3 years, record the training records in the Office of Personnel Management-approved centralized system, and provide management with tools to monitor compliance with the training requirement.

2010 Status: This is a repeat recommendation from the FY 2009 report. It has become Recommendation 6 (Finding D) in the FY 2010 report.

Recommendation 11 (from FY 2008): The Chief Information Officer should establish a process to monitor and validate security awareness training provided to those individuals without access to Department networks.

2010 Status: Open. The Department is in the process of developing a program.


Appendix C

United States Department of State
Chief Information Officer
Information Resource Management
Washington, D.C.

November 8, 2010

UNCLASSIFIED

MEMORANDUM

TO:       OIG - Mr. Harold W. Geisel

FROM:     IRM - Susan H. Swart

SUBJECT:  Department Response to Draft Report on Review of Department of State Security Program

REF:      OIG Memo Dated Nov. 1, 2010, Subject: Draft Report on Review of Department of State Security Program

Thank you for the opportunity to provide comments on the draft FISMA Report for 2010. Our response to the annual FISMA review is attached, and was coordinated with the Bureau of Diplomatic Security, Bureau of Administration, Bureau of Human Resources and the Foreign Service Institute. Please consider this a consolidated reply to your request.

We have focused our comments on whether or not the Department accepts the recommendation as part of this annual FISMA audit, as requested.

When we agreed with a recommendation, we have described how we plan to close it.
We propose these recommendations be considered resolved.

With regard to the factuality of the detailed findings, the Department's response primarily focused upon those issues that were material to Recommendations due to our mutual desire to give the Secretary time for review of this response.

We especially appreciate the professionalism of Ms. Klemstine throughout this review. We look forward to planning the 2011 review with the members of your team at your convenience.


Attachment: Department Response to Draft Report on Review of Department of State Security Program


Department Response to Draft Report on Review of Department of State Security Program


FISMA Inventory:

Summary Finding: The Department's inventory management processes and procedures do not ensure that an accurate inventory of FISMA reportable systems is maintained. Without an accurate FISMA system inventory list, the Department's process to support information resources management for technology planning, budgeting, and acquisition may be hampered.

Recommendation 1. We recommend that the Chief Information Officer verify the FISMA systems inventory list to the Information Technology Asset Baseline to ensure that all information technology systems are accurately accounted for.

Department Response: We accept this recommendation and request that it be closed. – We are pleased the OIG found all systems needed in inventory were present. Based upon the OIG's findings related to this Recommendation, namely the Department's inclusion of retired systems in its asset and FISMA inventory, the Recommendation should be closed. As a matter of policy, retired systems are not removed from the asset inventory (ITAB), but marked as retired, when appropriate. This ensures maintenance of historical records. The closure of the recommendation is warranted because there is no prohibition of inclusion of retired systems in inventory. The Department would expect to remove retired systems in FISMA inventory in the next quarter in which action such as an annual test or C&A was required for that system. Having the system remain in inventory until this trigger event causes review (and change to retired status) has no harmful effect on security. The Department would be happy to meet with OIG staff to discuss how we might improve this process. We recommend that the recommendation be closed.


Risk Management Framework:

Summary Finding: The security authorization process was not performed on all contractor systems, and the security authorization packages had expired for four systems. These conditions weaken the Department's risk management framework because changes within the systems and the systems' control environment may introduce new risks and vulnerabilities into the Department's environment.

Recommendation 2. We recommend that the Chief Information Security Officer ensure that systems operated by a contractor, including systems rated low cost and low impact, go through the security authorization process, including completion of a risk assessment and implementation of necessary security controls, and that security authorization packages are completed on a timely basis.

Department Response: Request Revision to Recommendation. – The Department requests the Recommendation and findings be revised to remove references to low-cost/low-impact systems. NIST SP 800-37 gives federal agencies considerable discretion in the selection of system accreditation boundaries. Moreover, OMB A-130 only requires certification and accreditation (vice control definition and testing) for major information systems. Consistent with OMB and accepted by previous OIG reviews, the Department has defined low-impact/low-cost systems in such a manner that they are included within the accreditation boundary of the network on which they run. The Department can provide detailed documentation and justification of this decision, which has been used since 2007. If the Recommendation is revised as requested, the Department will request closure of the recommendation when all applicable systems, as defined by the Department, have completed C&A.


Plans of Actions and Milestones:

Summary Finding: The Department did not prioritize the severity of security weaknesses, consistently record required resources for remediation of security weaknesses, and update remediation schedules to reflect actual performance, all of which impeded the Department's ability to assess and monitor the progress of corrective actions.

Recommendation 3. We recommend that the Chief Information Officer develop criteria for system owners to prioritize Plan of Action and Milestones (POA&M) corrective actions; develop a process to periodically update the resources recorded in the POA&Ms; and update, in the POA&Ms, those completion dates for corrective actions that have expired.

Department Response: Request Revision to Recommendation. – The Department of State POA&M system prioritizes all findings as high, moderate and/or low. Thus, the Department requests the OIG remove references to a lack of prioritization from its Findings and Recommendation. Given the changes to reporting requirements under cyber-scope, the Department will seek DHS (with OIG, if the OIG so desires) clarification on the desired timeliness and level of aggregation of these updates, and request closure of this revised Recommendation when the Department's performance meets current DHS requirements.


Security Awareness Training:

Summary Finding: Four of 25 employees tested had completed the initial information security awareness training. The Department did not identify all employees who had significant security responsibilities and provide specialized training, as required by NIST. One employee in our test of employees hired in FY 2010 did not have the required security clearance.

Recommendation 4. We recommend that the Chief Information Officer, the Foreign Service Institute, and the Bureau of Diplomatic Security implement methods to enforce the security awareness policy to suspend a user's access if the user has not taken the Cyber Security Awareness course within the required timeframe.

Recommendation 5. We recommend that the Chief Information Officer, the Foreign Service Institute, and the Bureau of Diplomatic Security complete the Department of State's corrective action plan (which involves Active Directory, security awareness completion data, and iPost) to enforce the security awareness policy to suspend a user's access if the Cyber Security Awareness course is not taken within the required timeframe.

Department Response: Request Recommendation Be Closed. – The Department agrees that the means for ensuring completion of awareness training should be strengthened. However, examination of the data provided regarding the four users found not to have completed awareness training indicates that of the four, only one user had not taken the training. Of the three remaining users, two had expired accounts and one did not yet have an active account.

The Department has recently implemented the corrective action plan by taking the following actions: (1) the PS800 Annual Cyber Security Awareness course is being updated to automatically reset user accounts to expire 365 days from successful completion of the course; and (2) PS800 course completion data is being posted in iPost and incorporated into site risk scoring. This allows the ISSOs to identify users who are not in compliance and enforce Department policy. Given these actions, the Department requests the recommendation be closed and the associated Executive Summary language be revised.

Recommendation 6. [6.1:] We recommend that the Chief Information Officer and the Bureau of Diplomatic Security define and identify personnel who have significant security responsibilities and ensure that they receive the appropriate training. [6.2:] Also, the Student Training Management System should be modified to capture other training systems, such as those paid for by the Department of State, to meet continuing professional education requirements.

Department Response for 6.1: Agree with Recommendation. – The Department agrees with this part of the Recommendation. The Department will assign primary responsibility for identification of personnel who have significant security responsibilities to the Bureau of Diplomatic Security, and the Bureau of Information Resource Management will be consulted for policy guidance. DS has set aside funding in FY11 to conduct an analysis of the best method for identifying and tracking these personnel.

Department Response for 6.2: Agree with Recommendation. – The Student Training Management System is the only official authorized management training system for the Department of State records and includes training funded by the Department. HR's GEMS provides a mechanism called Employee Profile for individuals to record other training taken. Duplication of either function is unnecessary. In determining if those with significant security responsibilities have met the training and development criteria, the Department will make use of these existing resources and determine the most cost-effective method of extracting and presenting all relevant data from these systems. This will be done after 6.1 is completed. Upon completion of Part 6.2, the Department will request closure of this Recommendation.


Security Configuration Management:

Summary Finding: Twenty-four of 25 systems tested were not compliant with the security configuration guidance provided by the Bureau of Diplomatic Security (DS), and seven of 25 systems did not have the vendor-required critical or high priority software patches to be installed. Without sufficient configuration management, the Department's data may be exposed to loss of integrity and confidentiality because configuration standards may not be implemented.

Recommendation 7. We recommend that the Chief Information Officer complete the end-to-end configuration management initiative, including implementation of the standard operating environment.

Department Response: Agree with this Recommendation. – The end-to-end configuration management initiative has several elements including centralization of patching and automated enforcement of configuration standards. Patch support has now been centralized to over half of the Department with full coverage scheduled for completion in fiscal year 2011. Automated enforcement of configuration standards is currently being piloted with broader deployment expected over the next two fiscal years. Further, the Department's continuous monitoring has brought significant results. The iPost risk scoring mechanisms are designed to score systems against the recommended and mandatory standards for the owners, who retain responsibility for the compliance and patching of their systems.
Any individual system may have some minor variations and not represent a substantial cyber risk, but will be flagged by our risk scoring methodology.

Without knowing the cumulative risk score for the 25 sampled systems, the risk cannot be properly assessed. It should be noted this approach has significantly reduced the number of configuration and patch problems over the last two years (by 90%). The Department’s policy and configuration guidance are part of a Risk Management approach balancing business need with cyber risk. The Department will request closure when implementation of these initiatives has made significant progress.

OpenNet Everywhere:

(b)(2)(b)(5)

Recommendation 8. We recommend that the Chief Information Officer (b)(2)(b)(5) and document the necessary risk assessment to determine the electronic authentication level for ONE.

Department Response: Agree with Recommendation.
– The Department is currently replacing ONE with a new system called Global OpenNet (GO) (b)(2)(b)(5) We will request closure when GO has been implemented and meets the intent of this recommendation.

Account Management:

Summary Finding: From a population of approximately 83,000 Active Directory accounts, we found approximately 1,000 guest, test, and temporary accounts; 8,000 accounts that had not been used (never logged on); and 600 accounts that had passwords that were set so that they would not expire. Therefore, these accounts are susceptible to being compromised by unauthorized users for unauthorized purposes.

Recommendation 9. We recommend that the Chief Information Officer enhance the Active Directory account management automated tools to flag accounts that have not been used within the past 60 days and ensure that all accounts are configured with passwords that expire every 60 days.

Recommendation 10. We recommend that the Chief Information Officer ensure that program managers and office managers annually review access privileges of users under their supervision so that the number of guest, test, and temporary accounts and accounts that have not been used is reduced.

Department Response: Agree with Recommendations 9 & 10. – Service accounts are critical to the operations of systems and applications. These accounts are necessary but are strictly administered and monitored. Deleting or expiring these accounts would have serious, negative impact on operations. Shared accounts are often created to provide shared access to organizational or functional mailboxes. These accounts are also strictly administered and monitored. Individuals do log on using either type of account, thus creating a sizable number of accounts that never register a log-on. Flagging these accounts as directed by the applicable Recommendation would be overly cumbersome and would prove of little security value.

However, in the interests of addressing the underlying issue, the continuous monitoring approach takes the password expiring after 60 days into consideration. Any accounts not compliant with this standard negatively impact site scores. This includes accounts with passwords set never to expire. The Department believes this meets the second half of Recommendation 9. The Department believes the ‘manager’ field in Active Directory identifies the individual responsible for all accounts, including service, guest, and test accounts and as such, the Department will use this foundation to act upon Recommendation 10.

Personally Identifiable Information:

Summary Finding: We found six instances in which the Department did not report personally identifiable information (PII) data incidents to the U.S. Computer Emergency Response Team (US-CERT) within 1 hour of suspecting or confirming a security breach, as required by OMB. Failure to notify US-CERT within the required timeframe increases the risk to individuals that their PII data may be misused. Also, the Department may be in violation of Federal laws.

Recommendation 11. We recommend that the Bureau of Diplomatic Security implement proper staff awareness through training and have shift supervisors, as part of the shift-change procedures, ensure that personally identifiable information data incidents are reported to the U.S. Computer Emergency Response Team within the required 1-hour timeframe.

Department Response: Request Recommendation be Closed. – The Department is committed to meeting the requirement of reporting PII data incidents to US-CERT as expeditiously as possible and has explicitly stated as such in Department policy (5 FAM 460) and the Computer Incident Response Team’s (CIRT) standard operating procedures, which delineate in detail how PII incident reports are handled internally and routed to US-CERT. The CIRT procedures are designed to ensure that incoming reports of missing PII are reviewed and validated so as to avoid false positives and address simultaneously any related network security issues. Once this evaluation is completed, CIRT generates a PII ticket and relevant incident information is referred to US-CERT within 1 hour.

During the course of this FISMA evaluation, CIRT undertook the following steps to further enhance the Department’s ability to review and report PII incidents:
• As of July 1, 2010 the CIRT team assigned an analyst to monitor the incident in-box for PII reports and assign incoming PII reports priority status for evaluation.
• DS is continuing to develop its new ticket tracking database which will enable CIRT to automatically designate incoming PII reports priority status.

Given these actions, the Department requests this recommendation be closed.

Continuous Monitoring Program:

Summary Finding: The scanning tools do not assess the Oracle configuration, the Department’s most common database system, for configuration control weaknesses that could adversely impact application access controls. Scanning results for routers, firewalls, and Demilitarized Zone servers were not available in iPost; therefore, the results were not used in risk scoring.

Recommendation 12. We recommend that the Chief Information Officer develop a continuous monitoring strategy.

Department Response: Request Modification of Recommendation and Associated Text. – The Department has previously provided documentation to the OIG that the Department’s strategy includes these elements. Moreover, the Department performs this kind of monitoring during annual testing and C&A, as required. The Department requests that the Recommendation be revised to say that “the Risk Scoring Program implement the Department’s CM strategy to include scanning of databases, firewalls, routers, and switches on a more frequent basis and inclusion of the results into its dashboard”. The Department also notes that the level and frequency of continuous monitoring being requested is not required by FISMA or its associated authorities.

Partial Finding: The SMART contingency plan is still in draft form because a secondary (or backup) site for SMART has not been identified, causing the delay in finalizing the contingency plan.

Recommendation 13. We recommend that the Chief Information Officer identify the secondary site for the State Messaging and Archive Retrieval Toolset (SMART) system and complete development of SMART’s system contingency plan.

Department Response: Agree with Recommendation. – The Department has identified ESOC East as the secondary site for SMART. The Department is implementing our contingency plan in stages. Stage 1 of the plan is complete and includes daily full backups of SMART data offsite at ESOC East. Stage 2 of the plan will greatly reduce the length of time required to restore SMART functionality offsite. SMART’s contingency system design documentation has successfully passed a peer review including external stakeholders. The design documentation describes a contingency solution that will provide SMART functionality within hours of either a planned or emergency failover. The completed contingency plan as well as the contingency system itself will be developed and tested by September 2011. Upon completion of the contingency plan, the Department will request closure of this Recommendation.

Recommendation 14. We recommend that the Bureau of Administration review all relevant information technology and professional services contracts to ensure that they contain the required Department of State Acquisition Regulations information security clauses.

Department Response: Agree with Recommendation. – The Bureau of Administration will review contract processes to ensure contracts are reviewed prior to final signatures. Such reviews will include whether or not the applicable provisions are included in relevant information technology and professional service contracts. Upon completion of this review, AQM will issue an updated Quality Assurance Plan and provide a copy to the OIG. Upon documented establishment of these processes, the Department will request closure of the Recommendation.

Recommendation 15. We recommend that the Bureau of Diplomatic Security, in coordination with the Bureau of Administration, establish procedures to identify the total number of contractors who have access to Department of State systems.

Department Response: Agree with Recommendation. – The Chief Information Officer has developed a procedure to use Active Directory accounts to identify the total number of persons (including contractors) who have access to the Department’s network. Compliance with this procedure is being enforced by a process of site scoring, which started on November 1, 2010. Upon implementation of this process, the Department will request closure of this Recommendation.
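For the Account Management finding (Recommendations 9 and 10) and the Active Directory-based count of persons and contractors in the response to Recommendation 15, the following is an added PowerShell example, not from the OIG report or the Department's own tooling: it flags stale, never-logged-on, non-expiring-password and guest/test/temporary accounts, attributes each to its ‘manager’ field so a named reviewer gets the list, and totals enabled persons and contractors. The service-account OU name, the employeeType value, the guest/test naming patterns and the CSV path are assumptions to adjust to the local directory.

```powershell
# Added example (not the report's or the Department's code). Assumed local
# conventions: service/shared accounts live under an OU whose DN contains
# "OU=Service Accounts,", contractors carry employeeType = "Contractor", and
# guest/test/temporary accounts are recognisable by name or description.
#Requires -Modules ActiveDirectory
param(
    [int]$StaleDays = 60,                                  # threshold from Recommendation 9
    [string]$ServiceOuFragment = 'OU=Service Accounts,',   # assumed OU naming convention
    [string]$ReportPath = ".\ad-account-review-$(Get-Date -Format yyyyMMdd).csv"
)

Import-Module ActiveDirectory
$cutoff = (Get-Date).AddDays(-$StaleDays)

# LastLogonDate is the module's conversion of the replicated lastLogonTimestamp
# attribute; it can lag real logons by up to 14 days, which is tolerable for a
# 60-day test, but borderline results should be confirmed against the DCs.
$props = 'LastLogonDate', 'PasswordNeverExpires', 'Manager', 'Description',
         'whenCreated', 'employeeType'
$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties $props

# Recommendation 15: everyone with an enabled account, and how many are contractors.
$persons      = $users | Where-Object { $_.DistinguishedName -notlike "*$ServiceOuFragment*" }
$contractors  = ($persons | Where-Object { $_.employeeType -eq 'Contractor' }).Count
"Enabled person accounts: $($persons.Count) (contractors: $contractors)"

$findings = foreach ($u in $persons) {
    $reasons = New-Object 'System.Collections.Generic.List[string]'

    # Second half of Recommendation 9: passwords that never expire.
    if ($u.PasswordNeverExpires) { $reasons.Add('PasswordNeverExpires') }

    if (-not $u.LastLogonDate) {
        # Never logged on: only flag once the account is older than the stale
        # window, so freshly provisioned accounts are not reported prematurely.
        if ($u.whenCreated -lt $cutoff) { $reasons.Add('NeverLoggedOn') }
    } elseif ($u.LastLogonDate -lt $cutoff) {
        $reasons.Add("Unused>${StaleDays}d")      # first half of Recommendation 9
    }

    # Guest, test and temporary accounts (assumed naming/description patterns).
    if ($u.SamAccountName -match '^(guest|test|tmp|temp)' -or
        $u.Description    -match 'guest|test|temp') {
        $reasons.Add('GuestTestTemp')
    }

    if ($reasons.Count -gt 0) {
        # Resolve the manager DN so each flagged account reaches a named reviewer,
        # which is the basis the Department's response gives for Recommendation 10.
        $owner = if ($u.Manager) { (Get-ADUser -Identity $u.Manager).SamAccountName }
                 else            { '<no manager set>' }
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            LastLogonDate  = $u.LastLogonDate
            Created        = $u.whenCreated
            Manager        = $owner
            Reasons        = ($reasons -join ';')
        }
    }
}

$findings | Sort-Object Manager, SamAccountName |
    Export-Csv -Path $ReportPath -NoTypeInformation

# Per-manager tally for the annual access review in Recommendation 10.
$findings | Group-Object Manager | Sort-Object Count -Descending |
    Select-Object @{ n = 'Manager'; e = { $_.Name } }, Count | Format-Table -AutoSize
```

Accounts with no manager set surface as their own group in the tally, which is itself a finding under Recommendation 10 since nobody is positioned to review them.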